OU vs. Domain GPO's


John J. Rambone

I have created an OU for 1 user. I have locked down the OU so the only
thing that appears is a start menu and IE and IE is locked down to only go
to 1 address inside the company. I want the 1 user to have a blank
password, but I have complex password defined for my Domain. I thought the
OU took precedence over the domain gpo. Is there a work around for this?

John J.
 
Just remember this:

LSDOU

Local
Site
Domain
OU

(LSDOU) That's the order of inheritance.

The LAST one to be applied wins. (We won't get into Blocked Inheritance
and filtering.)

Bruce Meyer
 
John,

No, password policy is set at the domain level. And there can be only one.
If you set a password policy at the OU level it will not affect the users,
it will affect whatever computer account objects ( local accounts
passwords ) might be contained in that particular OU.

The only way that I could think that this *might* work would be to undo the
password complexity setting and create the user account with the
userAccountControl attribute set to '66048' ( the 'Password never expires'
checkbox checked - maybe use ldifde to create the user account? ) and then
later reset the password complexity. Not really sure that you want to start
messing with this, though. I am not sure that I understand why you would
want to have this nice password policy / complexity for the entire domain
and then have one account that would be vulnerable. What are you trying to
do with this one account?

BTW - you are correct in that *typically* the pecking order for GPOs is
Local, Site, Domain and OU. However, as this is a password policy it is
specifically set at the domain level ( either via the Default Domain Policy
or the Domain Security Policy - either one works ).


HTH,

Cary
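
As an added example (not part of the thread or any poster's code): a small Python audit that decodes userAccountControl values from an ldifde-style export and lists enabled accounts whose flags weaken password policy. The sample records, account names and the example.local domain are constructed; only the value 66048 comes from the post above.

```python
import re

# Documented userAccountControl bit flags (subset relevant to password policy).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",         # no password is required for the account
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",  # the 'Password never expires' checkbox
}
RISKY = {"PASSWD_NOTREQD", "DONT_EXPIRE_PASSWORD"}

def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def parse_ldif(text):
    """Split an LDIF export into one {attribute: first value} dict per record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            if ":" in line and not line.startswith((" ", "#")):
                key, _, val = line.partition(":")
                rec.setdefault(key.strip(), val.strip())
        if rec:
            records.append(rec)
    return records

def audit(text):
    """Return (sAMAccountName, risky flags) for enabled accounts that have any."""
    findings = []
    for rec in parse_ldif(text):
        flags = decode_uac(int(rec.get("userAccountControl", "0")))
        risky = [f for f in flags if f in RISKY]
        if risky and "ACCOUNTDISABLE" not in flags:
            findings.append((rec.get("sAMAccountName", "?"), risky))
    return findings

# Constructed sample export: four made-up accounts in a made-up domain.
SAMPLE_LDIF = "\n\n".join(
    f"dn: CN={n},OU=Kiosk,DC=example,DC=local\n"
    f"sAMAccountName: {n}\nuserAccountControl: {uac}"
    for n, uac in [("timeclock", 66048), ("warehouse", 544),
                   ("jsmith", 512), ("oldkiosk", 66082)]
)

if __name__ == "__main__":
    for name, flags in audit(SAMPLE_LDIF):
        print(name, flags)
```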
 
Well, we have a web based time clock program that is used by people in the
company that do not have computers. I have set up a kiosk machine here and
there (different sites), but there are a few locations where it makes sense
to use, for example, the warehouse computer, etc. On those computers I've
set up a local user just so people can log in and punch in and out for
work. (The issue is people forget to change from domain to local computer and
back again.) I was hoping to move away from local users and set up a domain
user with a locked down setup. I just wanted the password to be blank.
Another issue is a user will leave their computer open and then a non-computer
user will go to the website to clock out or in and start surfing on that
computer.

These issues are user education related, etc. Just trying to save myself a
phone call or two every now and then.
 
John, if you have the option, for security reasons you may deploy another domain
or a child domain, since password policies are domain wide. Workstations are
available to log in to multiple domains. Otherwise you can use auto login,
but I don't recommend that personally.

--
Regards
Christoffer Andersson

No email replies please - reply in the newsgroup
 